Date post: 15-Aug-2020
BGP Multihoming Techniques Philip Smith <[email protected]> APRICOT 2013 Singapore 19th February – 1st March 2013
Transcript
Page 1:

BGP Multihoming Techniques

Philip Smith <[email protected]>

APRICOT 2013 Singapore

19th February – 1st March 2013

Page 2:

Presentation Slides

- Will be available on
  - http://thyme.apnic.net/ftp/seminars/APRICOT2013-Multihoming.pdf
  - And on the APRICOT2013 website
- Feel free to ask questions any time

Page 3:

Preliminaries

- Tutorial has many configuration examples
  - Uses Cisco IOS CLI
- Aimed at Service Providers
  - Techniques can be used by many enterprises too

Page 4:

BGP Multihoming Techniques

- Why Multihome?
- Definition & Options
- How to Multihome
- Principles & Addressing
- Basic Multihoming
- Service Provider Multihoming
- Using Communities

Page 5:

Why Multihome?

It’s all about redundancy, diversity & reliability

Page 6:

Why Multihome?

- Redundancy
  - One connection to internet means the network is dependent on:
    - Local router (configuration, software, hardware)
    - WAN media (physical failure, carrier failure)
    - Upstream Service Provider (configuration, software, hardware)

Page 7:

Why Multihome?

- Reliability
  - Business critical applications demand continuous availability
  - Lack of redundancy implies lack of reliability implies loss of revenue

Page 8:

Why Multihome?

- Supplier Diversity
  - Many businesses demand supplier diversity as a matter of course
  - Internet connection from two or more suppliers
    - With two or more diverse WAN paths
    - With two or more exit points
    - With two or more international connections
    - Two of everything

Page 9:

Why Multihome?

- Not really a reason, but oft quoted…
- Leverage:
  - Playing one ISP off against the other for:
    - Service Quality
    - Service Offerings
    - Availability

Page 10:

Why Multihome?

- Summary:
  - Multihoming is easy to demand as a requirement for any service provider or end-site network
  - But what does it really mean:
    - In real life?
    - For the network?
    - For the Internet?
  - And how do we do it?

Page 11:

BGP Multihoming Techniques

- Why Multihome?
- Definition & Options
- How to Multihome
- Principles & Addressing
- Basic Multihoming
- Service Provider Multihoming
- Using Communities

Page 12:

Multihoming: Definitions & Options

What does it mean, what do we need, and how do we do it?

Page 13:

Multihoming Definition

- More than one link external to the local network
  - two or more links to the same ISP
  - two or more links to different ISPs
- Usually two external facing routers
  - one router gives link and provider redundancy only

Page 14:

Autonomous System Number (ASN)

- Two ranges
  - 0-65535 (original 16-bit range)
  - 65536-4294967295 (32-bit range – RFC4893)
- Usage:
  - 0 and 65535 (reserved)
  - 1-64495 (public Internet)
  - 64496-64511 (documentation – RFC5398)
  - 64512-65534 (private use only)
  - 23456 (represent 32-bit range in 16-bit world)
  - 65536-65551 (documentation – RFC5398)
  - 65552-4294967295 (public Internet)
- 32-bit range representation specified in RFC5396
  - Defines “asplain” (traditional format) as standard notation

Page 15:

Autonomous System Number (ASN)

- ASNs are distributed by the Regional Internet Registries
  - They are also available from upstream ISPs who are members of one of the RIRs
  - Around 43000 are visible on the Internet
- Current 16-bit ASN allocations up to 61439 have been made to the RIRs
- Each RIR has also received a block of 32-bit ASNs
  - Out of 3700 assignments, around 3300 are visible on the Internet
- See www.iana.org/assignments/as-numbers

Page 16:

Private-AS – Application

- Applications
  - An ISP with customers multihomed on their backbone (RFC2270) -or-
  - A corporate network with several regions but connections to the Internet only in the core -or-
  - Within a BGP Confederation

[Figure labels: AS 1880, 193.0.32.0/22; AS 65001, 193.0.32.0/24; AS 65002, 193.0.33.0/24; AS 65003, 193.0.34.0/24; 193.0.35.0/24; A, B, C]

Page 17:

Private-AS – Removal

- Private ASNs MUST be removed from all prefixes announced to the public Internet
  - Include configuration to remove private ASNs in the eBGP template
- As with RFC1918 address space, private ASNs are intended for internal use
  - They should not be leaked to the public Internet
- Cisco IOS

    neighbor x.x.x.x remove-private-AS
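
The ranges on the ASN usage slide can be turned into an audit of received AS paths that flags routes where a private, reserved or documentation ASN has leaked. This is an added example, not code from the presentation; the sample routes are constructed, and the RFC 6996 and RFC 7300 ranges are additions that postdate the slides.

```python
import re

# (first, last, category) in asplain notation, following the ASN usage slide.
ASN_RANGES = [
    (0, 0, "reserved"),
    (1, 23455, "public"),
    (23456, 23456, "as_trans"),            # represents 32-bit ASNs in a 16-bit world
    (23457, 64495, "public"),
    (64496, 64511, "documentation"),       # RFC 5398
    (64512, 65534, "private"),
    (65535, 65535, "reserved"),
    (65536, 65551, "documentation"),       # RFC 5398
    (65552, 4199999999, "public"),
    (4200000000, 4294967294, "private"),   # RFC 6996 (added; not on the slide)
    (4294967295, 4294967295, "reserved"),  # RFC 7300 (added; not on the slide)
]

# Categories that should never appear in a path received from the Internet.
LEAK_CATEGORIES = {"private", "reserved", "documentation"}


def classify(asn):
    """Return the usage category of an ASN."""
    for first, last, category in ASN_RANGES:
        if first <= asn <= last:
            return category
    raise ValueError(f"not a 32-bit ASN: {asn}")


def parse_asn(token):
    """Accept asplain ("65546") or asdot ("1.10") notation."""
    if "." in token:
        high, low = token.split(".")
        return int(high) * 65536 + int(low)
    return int(token)


def parse_as_path(text):
    """Extract every ASN from an AS path string, including AS_SET members in braces."""
    return [parse_asn(tok) for tok in re.findall(r"\d+(?:\.\d+)?", text)]


def audit_path(text):
    """Return [(asn, category)] for each ASN in the path that should not be there."""
    return [(asn, classify(asn)) for asn in parse_as_path(text)
            if classify(asn) in LEAK_CATEGORIES]


def audit_routes(routes):
    """Map prefix -> findings for every route whose AS path leaks an ASN."""
    report = {}
    for prefix, path in routes.items():
        findings = audit_path(path)
        if findings:
            report[prefix] = findings
    return report


# Constructed sample: prefix -> AS path as an external peer might receive it.
SAMPLE_ROUTES = {
    "193.0.32.0/22": "1880",               # aggregate, private ASNs stripped
    "193.0.34.0/24": "1880 65003",         # customer's private ASN leaked
    "121.10.0.0/19": "110 100 65534",      # remove-private-AS missing upstream
    "198.51.100.0/24": "110 4200000001",   # 32-bit private ASN
    "203.0.113.0/24": "110 {64512,1.10}",  # AS_SET with private and asdot ASNs
}

if __name__ == "__main__":
    for prefix, findings in audit_routes(SAMPLE_ROUTES).items():
        print(prefix, findings)
```
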

Page 18:

Transit/Peering/Default

- Transit
  - Carrying traffic across a network
  - Usually for a fee
- Peering
  - Exchanging locally sourced routing information and traffic
  - Usually for no fee
  - Sometimes called settlement free peering
- Default
  - Where to send traffic when there is no explicit match in the routing table

Page 19:

Configuring Policy

- Three BASIC Principles for IOS configuration examples throughout presentation:
  - prefix-lists to filter prefixes
  - filter-lists to filter ASNs
  - route-maps to apply policy
- Route-maps can be used for filtering, but this is more “advanced” configuration

Page 20:

Policy Tools

- Local preference
  - outbound traffic flows
- Metric (MED)
  - inbound traffic flows (local scope)
- AS-PATH prepend
  - inbound traffic flows (Internet scope)
- Communities
  - specific inter-provider peering

Page 21:

Originating Prefixes: Assumptions

- MUST announce assigned address block to Internet
- MAY also announce subprefixes – reachability is not guaranteed
- Current minimum allocation is from /20 to /24 depending on the RIR
  - Several ISPs filter RIR blocks on this boundary
  - Several ISPs filter the rest of address space according to the IANA assignments
  - This activity is called “Net Police” by some

Page 22:

Originating Prefixes

- The RIRs publish their minimum allocation sizes per /8 address block
  - AfriNIC: www.afrinic.net/docs/policies/afpol-v4200407-000.htm
  - APNIC: www.apnic.net/db/min-alloc.html
  - ARIN: www.arin.net/reference/ip_blocks.html
  - LACNIC: lacnic.net/en/registro/index.html
  - RIPE NCC: www.ripe.net/ripe/docs/smallest-alloc-sizes.html
  - Note that AfriNIC only publishes its current minimum allocation size, not the allocation size for its address blocks
- IANA publishes the address space it has assigned to end-sites and allocated to the RIRs:
  - www.iana.org/assignments/ipv4-address-space
- Several ISPs use this published information to filter prefixes on:
  - What should be routed (from IANA)
  - The minimum allocation size from the RIRs

Page 23:

“Net Police” prefix list issues

- Meant to “punish” ISPs who pollute the routing table with specifics rather than announcing aggregates
- Impacts legitimate multihoming especially at the Internet’s edge
- Impacts regions where domestic backbone is unavailable or costs $$$ compared with international bandwidth
- Hard to maintain – requires updating when RIRs start allocating from new address blocks
- Don’t do it unless consequences understood and you are prepared to keep the list current
  - Consider using the Team Cymru or other reputable bogon BGP feed:
  - www.team-cymru.org/Services/Bogons/routeserver.html

Page 24:

BGP Multihoming Techniques

- Why Multihome?
- Definition & Options
- How to Multihome
- Principles & Addressing
- Basic Multihoming
- Service Provider Multihoming
- Using Communities

Page 25:

How to Multihome

Choosing between transit and peer

Page 26:

Transits

- Transit provider is another autonomous system which is used to provide the local network with access to other networks
  - Might be local or regional only
  - But more usually the whole Internet
- Transit providers need to be chosen wisely:
  - Only one
    - no redundancy
  - Too many
    - more difficult to load balance
    - no economy of scale (costs more per Mbps)
    - hard to provide service quality
- Recommendation: at least two, no more than three

Page 27:

Common Mistakes

- ISPs sign up with too many transit providers
  - Lots of small circuits (cost more per Mbps than larger ones)
  - Transit rates per Mbps reduce with increasing transit bandwidth purchased
  - Hard to implement reliable traffic engineering that doesn’t need daily fine tuning depending on customer activities
- No diversity
  - Chosen transit providers all reached over same satellite or same submarine cable
  - Chosen transit providers have poor onward transit and peering

Page 28:

Peers

- A peer is another autonomous system with which the local network has agreed to exchange locally sourced routes and traffic
- Private peer
  - Private link between two providers for the purpose of interconnecting
- Public peer
  - Internet Exchange Point, where providers meet and freely decide who they will interconnect with
- Recommendation: peer as much as possible!

Page 29:

Common Mistakes

- Mistaking a transit provider’s “Exchange” business for a no-cost public peering point
- Not working hard to get as much peering as possible
  - Physically near a peering point (IXP) but not present at it
  - (Transit sometimes is cheaper than peering!!)
- Ignoring/avoiding competitors because they are competition
  - Even though potentially valuable peering partner to give customers a better experience

Page 30:

Multihoming Scenarios

- Stub network
- Multi-homed stub network
- Multi-homed network
- Multiple sessions to another AS

Page 31:

Stub Network

[Figure labels: AS100, AS101]

- No need for BGP
- Point static default to upstream ISP
- Upstream ISP advertises stub network
- Policy confined within upstream ISP’s policy

Page 32:

Multi-homed Stub Network

[Figure labels: AS100, AS65530]

- Use BGP (not IGP or static) to loadshare
- Use private AS (ASN > 64511)
- Upstream ISP advertises stub network
- Policy confined within upstream ISP’s policy

Page 33:

Multi-homed Network

[Figure labels: AS100, AS200, AS300, Global Internet]

- Many situations possible
  - multiple sessions to same ISP
  - secondary for backup only
  - load-share between primary and secondary
  - selectively use different ISPs

Page 34:

Multiple Sessions to an AS – ebgp multihop

[Figure labels: AS 100, AS 200, 1.1.1.1, A, B]

- Use ebgp-multihop
  - Run eBGP between loopback addresses
  - eBGP prefixes learned with loopback address as next hop
- Cisco IOS

    router bgp 100
     neighbor 1.1.1.1 remote-as 200
     neighbor 1.1.1.1 ebgp-multihop 2
    !
    ip route 1.1.1.1 255.255.255.255 serial 1/0
    ip route 1.1.1.1 255.255.255.255 serial 1/1
    ip route 1.1.1.1 255.255.255.255 serial 1/2

- Common error made is to point remote loopback route at IP address rather than specific link

Page 35:

Multiple Sessions to an AS – ebgp multihop

[Figure labels: AS 100, AS 200, R1, R2, R3, Used Path, Desired Path]

- One serious eBGP-multihop caveat:
  - R1 and R3 are eBGP peers that are loopback peering
  - Configured with:

        neighbor x.x.x.x ebgp-multihop 2

  - If the R1 to R3 link goes down the session could establish via R2
- Usually happens when routing to remote loopback is dynamic, rather than static pointing at a link

Page 36:

Multiple Sessions to an ISP – ebgp multihop

- Try and avoid use of ebgp-multihop unless:
  - It’s absolutely necessary –or–
  - Loadsharing across multiple links
- Many ISPs discourage its use, for example:

  We will run eBGP multihop, but do not support it as a standard offering because customers generally have a hard time managing it due to:
  • routing loops
  • failure to realise that BGP session stability problems are usually due to connectivity problems between their CPE and their BGP speaker

Page 37:

Multiple Sessions to an AS – bgp multi path

[Figure labels: AS 100, AS 200]

- Three BGP sessions required
- Platform limit on number of paths (could be as little as 6)
- Full BGP feed makes this unwieldy
  - 3 copies of Internet Routing Table go into the FIB

    router bgp 100
     neighbor 1.1.2.1 remote-as 200
     neighbor 1.1.2.5 remote-as 200
     neighbor 1.1.2.9 remote-as 200
     maximum-paths 3

Page 38:

Multiple Sessions to an AS – bgp attributes & filters

[Figure labels: AS 200, AS 201, A, B, C, D]

- Simplest scheme is to use defaults
- Learn/advertise prefixes for better control
- Planning and some work required to achieve loadsharing
  - Point default towards one ISP
  - Learn selected prefixes from second ISP
  - Modify the number of prefixes learnt to achieve acceptable load sharing
- No magic solution

Page 39:

BGP Multihoming Techniques

- Why Multihome?
- Definition & Options
- How to Multihome
- Principles & Addressing
- Basic Multihoming
- Service Provider Multihoming
- Using Communities

Page 40:

Basic Principles of Multihoming

Let’s learn to walk before we try running…

Page 41:

The Basic Principles

- Announcing address space attracts traffic
  - (Unless policy in upstream providers interferes)
- Announcing the ISP aggregate out a link will result in traffic for that aggregate coming in that link
- Announcing a subprefix of an aggregate out a link means that all traffic for that subprefix will come in that link, even if the aggregate is announced somewhere else
  - The most specific announcement wins!

Page 42:

The Basic Principles

- To split traffic between two links:
  - Announce the aggregate on both links - ensures redundancy
  - Announce one half of the address space on each link
  - (This is the first step, all things being equal)
- Results in:
  - Traffic for first half of address space comes in first link
  - Traffic for second half of address space comes in second link
  - If either link fails, the fact that the aggregate is announced ensures there is a backup path

Page 43:

The Basic Principles

- The keys to successful multihoming configuration:
  - Keeping traffic engineering prefix announcements independent of customer iBGP
  - Understanding how to announce aggregates
  - Understanding the purpose of announcing subprefixes of aggregates
  - Understanding how to manipulate BGP attributes
  - Too many upstreams/external paths makes multihoming harder (2 or 3 is enough!)

Page 44:

IP Addressing & Multihoming

How Good IP Address Plans assist with Multihoming

Page 45:

IP Addressing & Multihoming

- IP Address planning is an important part of Multihoming
- Previously have discussed separating:
  - Customer address space
  - Customer p-t-p link address space
  - Infrastructure p-t-p link address space
  - Loopback address space

[Figure: 101.10.0.0/21 divided into Customer Address & p-t-p links, Infrastructure, Loopbacks; labels /24, 101.10.0.1, 101.10.5.255, 101.10.6.255]

Page 46:

IP Addressing & Multihoming

- ISP Router loopbacks and backbone point to point links make up a small part of total address space
  - And they don’t attract traffic, unlike customer address space
- Links from ISP Aggregation edge to customer router need one /30
  - Small requirements compared with total address space
  - Some ISPs use IP unnumbered
- Planning customer assignments is a very important part of multihoming
  - Traffic engineering involves subdividing aggregate into pieces until load balancing works

Page 47:

Unplanned IP addressing

- ISP fills up customer IP addressing from one end of the range:

[Figure: 101.10.0.0/21; labels: Customer Addresses 1 2 3 4 5, ISP]

- Customers generate traffic
  - Dividing the range into two pieces will result in one /22 with all the customers, and one /22 with just the ISP infrastructure addresses
  - No loadbalancing as all traffic will come in the first /22
  - Means further subdivision of the first /22 = harder work

Page 48:

Planned IP addressing

- If ISP fills up customer addressing from both ends of the range:

[Figure: 101.10.0.0/21; labels: Customer Addresses 1 3 5 7 9, Customer Addresses 2 4 6 8 10, ISP]

- Scheme then is:
  - First customer from first /22, second customer from second /22, third from first /22, etc
- This works also for residential versus commercial customers:
  - Residential from first /22
  - Commercial from second /22

Page 49:

Planned IP Addressing

- This works fine for multihoming between two upstream links (same or different providers)
- Can also subdivide address space to suit more than two upstreams
  - Follow a similar scheme for populating each portion of the address space
- Don’t forget to always announce an aggregate out of each link
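
The announcement scheme from the Basic Principles slides and the unplanned and planned address plans can be checked together with a small longest-prefix-match model. This is an added example, not part of the presentation; the /26 customer assignment size, the link names and the simplification that only prefix length decides the inbound link are assumptions.

```python
import ipaddress

AGGREGATE = ipaddress.ip_network("101.10.0.0/21")   # address block used on the slides
HALVES = list(AGGREGATE.subnets(prefixlen_diff=1))  # 101.10.0.0/22 and 101.10.4.0/22


def announcements(with_aggregate=True):
    """(prefix, link) pairs: one /22 per link, plus the aggregate on both links."""
    ann = [(HALVES[0], "link1"), (HALVES[1], "link2")]
    if with_aggregate:
        ann += [(AGGREGATE, "link1"), (AGGREGATE, "link2")]
    return ann


def inbound_links(dst, ann, links_up):
    """Links the Internet can use to reach dst: the most specific live announcement wins.

    Several links are returned when the same prefix is live on each of them;
    an empty list means no covering announcement is left (traffic is dropped).
    """
    dst = ipaddress.ip_address(dst)
    live = [(prefix, link) for prefix, link in ann
            if link in links_up and dst in prefix]
    if not live:
        return []
    longest = max(prefix.prefixlen for prefix, _ in live)
    return sorted({link for prefix, link in live if prefix.prefixlen == longest})


def assign_sequential(count, size=26):
    """Unplanned: customers fill the range from one end."""
    return list(AGGREGATE.subnets(new_prefix=size))[:count]


def assign_alternating(count, size=26):
    """Planned: first customer from the first /22, second from the second /22, etc."""
    pools = [half.subnets(new_prefix=size) for half in HALVES]
    return [next(pools[i % 2]) for i in range(count)]


def customers_per_link(customers, ann, links_up):
    """Count customer assignments by the inbound link(s) their traffic arrives on."""
    counts = {}
    for net in customers:
        links = inbound_links(net.network_address, ann, links_up)
        key = "+".join(links) if links else "unreachable"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    both = {"link1", "link2"}
    print("unplanned:", customers_per_link(assign_sequential(10), announcements(), both))
    print("planned:  ", customers_per_link(assign_alternating(10), announcements(), both))
    print("link1 down, aggregate announced:",
          customers_per_link(assign_alternating(10), announcements(), {"link2"}))
    print("link1 down, no aggregate:",
          customers_per_link(assign_alternating(10), announcements(False), {"link2"}))
```
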

Page 50:

BGP Multihoming Techniques

- Why Multihome?
- Definition & Options
- How to Multihome
- Principles & Addressing
- Basic Multihoming
- Service Provider Multihoming
- Using Communities

Page 51:

Basic Multihoming

Let’s try some simple worked examples…

Page 52:

Basic Multihoming

- No frills multihoming
- Will look at two cases:
  - Multihoming with the same ISP
  - Multihoming to different ISPs
- Will keep the examples easy
  - Understanding easy concepts will make the more complex scenarios easier to comprehend
  - All assume that the site multihoming has a /19 address block

Page 53:

Basic Multihoming

- This type is most commonplace at the edge of the Internet
  - Networks here are usually concerned with inbound traffic flows
  - Outbound traffic flows being “nearest exit” is usually sufficient
- Can apply to the leaf ISP as well as Enterprise networks

Page 54:

Basic Multihoming

Multihoming to the Same ISP

Page 55:

Basic Multihoming: Multihoming to the same ISP

- Use BGP for this type of multihoming
  - use a private AS (ASN > 64511)
  - There is no need or justification for a public ASN
    - Making the nets of the end-site visible gives no useful information to the Internet
- Upstream ISP proxy aggregates
  - in other words, announces only your address block to the Internet from their AS (as would be done if you had one statically routed connection)

Page 56:

Two links to the same ISP

One link primary, the other link backup only

Page 57:

Two links to the same ISP (one as backup only)

- Applies when end-site has bought a large primary WAN link to their upstream and a small secondary WAN link as the backup
  - For example, primary path might be an E1, backup might be 64kbps

Page 58:

Two links to the same ISP (one as backup only)

[Figure labels: AS 100, AS 65534, A, B, C, D, E, primary, backup]

- AS100 removes private AS and any customer subprefixes from Internet announcement

Page 59:

Two links to the same ISP (one as backup only)

- Announce /19 aggregate on each link
  - primary link:
    - Outbound – announce /19 unaltered
    - Inbound – receive default route
  - backup link:
    - Outbound – announce /19 with increased metric
    - Inbound – receive default, and reduce local preference
- When one link fails, the announcement of the /19 aggregate via the other link ensures continued connectivity

Page 60:

Two links to the same ISP (one as backup only)

- Router A Configuration

    router bgp 65534
     network 121.10.0.0 mask 255.255.224.0
     neighbor 122.102.10.2 remote-as 100
     neighbor 122.102.10.2 description RouterC
     neighbor 122.102.10.2 prefix-list aggregate out
     neighbor 122.102.10.2 prefix-list default in
    !
    ip prefix-list aggregate permit 121.10.0.0/19
    ip prefix-list default permit 0.0.0.0/0
    !
    ip route 121.10.0.0 255.255.224.0 null0

Page 61:

Two links to the same ISP (one as backup only)

- Router B Configuration

    router bgp 65534
     network 121.10.0.0 mask 255.255.224.0
     neighbor 122.102.10.6 remote-as 100
     neighbor 122.102.10.6 description RouterD
     neighbor 122.102.10.6 prefix-list aggregate out
     neighbor 122.102.10.6 route-map routerD-out out
     neighbor 122.102.10.6 prefix-list default in
     neighbor 122.102.10.6 route-map routerD-in in
    !

..next slide

Page 62:

Two links to the same ISP (one as backup only)

    ip prefix-list aggregate permit 121.10.0.0/19
    ip prefix-list default permit 0.0.0.0/0
    !
    ip route 121.10.0.0 255.255.224.0 null0
    !
    route-map routerD-out permit 10
     set metric 10
    !
    route-map routerD-in permit 10
     set local-preference 90
    !

Page 63:

Two links to the same ISP (one as backup only)

- Router C Configuration (main link)

    router bgp 100
     neighbor 122.102.10.1 remote-as 65534
     neighbor 122.102.10.1 default-originate
     neighbor 122.102.10.1 prefix-list Customer in
     neighbor 122.102.10.1 prefix-list default out
    !
    ip prefix-list Customer permit 121.10.0.0/19
    ip prefix-list default permit 0.0.0.0/0

Page 64:

Two links to the same ISP (one as backup only)

- Router D Configuration (backup link)

    router bgp 100
     neighbor 122.102.10.5 remote-as 65534
     neighbor 122.102.10.5 default-originate
     neighbor 122.102.10.5 prefix-list Customer in
     neighbor 122.102.10.5 prefix-list default out
    !
    ip prefix-list Customer permit 121.10.0.0/19
    ip prefix-list default permit 0.0.0.0/0

Page 65:

Two links to the same ISP (one as backup only)

- Router E Configuration

    router bgp 100
     neighbor 122.102.10.17 remote-as 110
     neighbor 122.102.10.17 remove-private-AS
     neighbor 122.102.10.17 prefix-list Customer out
    !
    ip prefix-list Customer permit 121.10.0.0/19

- Router E removes the private AS and customer’s subprefixes from external announcements
- Private AS still visible inside AS100

Page 66:

Two links to the same ISP

With Loadsharing

Page 67:

Loadsharing to the same ISP

- More common case
- End sites tend not to buy circuits and leave them idle, only used for backup as in previous example
- This example assumes equal capacity circuits
  - Unequal capacity circuits require more refinement – see later

Page 68:

Loadsharing to the same ISP

[Figure labels: AS 100, AS 65534, A, B, C, D, E, Link one, Link two]

- Border router E in AS100 removes private AS and any customer subprefixes from Internet announcement

Page 69:

Loadsharing to the same ISP

- Announce /19 aggregate on each link
- Split /19 and announce as two /20s, one on each link
  - basic inbound loadsharing
  - assumes equal circuit capacity and even spread of traffic across address block
- Vary the split until “perfect” loadsharing achieved
- Accept the default from upstream
  - basic outbound loadsharing by nearest exit
  - okay in first approx as most ISP and end-site traffic is inbound

Page 70:

Loadsharing to the same ISP (with redundancy)

- Router A Configuration

    router bgp 65534
     network 121.10.0.0 mask 255.255.224.0
     network 121.10.0.0 mask 255.255.240.0
     neighbor 122.102.10.2 remote-as 100
     neighbor 122.102.10.2 prefix-list routerC out
     neighbor 122.102.10.2 prefix-list default in
    !
    ip prefix-list default permit 0.0.0.0/0
    ip prefix-list routerC permit 121.10.0.0/20
    ip prefix-list routerC permit 121.10.0.0/19
    !
    ip route 121.10.0.0 255.255.240.0 null0
    ip route 121.10.0.0 255.255.224.0 null0

Page 71:

Loadsharing to the same ISP (with redundancy)

- Router C Configuration

    router bgp 100
     neighbor 122.102.10.1 remote-as 65534
     neighbor 122.102.10.1 default-originate
     neighbor 122.102.10.1 prefix-list Customer in
     neighbor 122.102.10.1 prefix-list default out
    !
    ip prefix-list Customer permit 121.10.0.0/19 le 20
    ip prefix-list default permit 0.0.0.0/0

- Router C only allows in /19 and /20 prefixes from customer block
- Router D configuration is identical

Page 72: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Loadsharing to the same ISP (with redundancy)

- Router E Configuration

    router bgp 100
     neighbor 122.102.10.17 remote-as 110
     neighbor 122.102.10.17 remove-private-AS
     neighbor 122.102.10.17 prefix-list Customer out
    !
    ip prefix-list Customer permit 121.10.0.0/19

- Private AS still visible inside AS100

Page 73: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Loadsharing to the same ISP (with redundancy)

- Default route for outbound traffic?
  - Use default-information originate for the IGP and rely on IGP metrics for nearest exit
  - e.g. on router A:

    router ospf 65534
     default-information originate metric 2 metric-type 1

Page 74: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Loadsharing to the same ISP

- Loadsharing configuration is only on customer router
- Upstream ISP has to
  - remove customer subprefixes from external announcements
  - remove private AS from external announcements
- Could also use BGP communities

Page 75: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Two links to the same ISP

Multiple Dualhomed Customers (RFC2270)

Page 76: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Multiple Dualhomed Customers (RFC2270)

- Unusual for an ISP just to have one dualhomed customer
  - Valid/valuable service offering for an ISP with multiple PoPs
  - Better for ISP than having customer multihome with another provider!
- Look at scaling the configuration
  - ⇒ Simplifying the configuration
  - Using templates, peer-groups, etc
  - Every customer has the same configuration (basically)

Page 77: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Multiple Dualhomed Customers (RFC2270)

- Border router E in AS100 removes private AS and any customer subprefixes from Internet announcement

[Diagram: AS 100 with routers C, D and E; three customer networks, each labelled AS 65534, with routers A1/B1, A2/B2 and A3/B3]

Page 78: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Multiple Dualhomed Customers (RFC2270)

- Customer announcements as per previous example
- Use the same private AS for each customer
  - documented in RFC2270
  - address space is not overlapping
  - each customer hears default only
- Router An and Bn configuration same as Router A and B previously

Page 79: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Multiple Dualhomed Customers (RFC2270)

- Router A1 Configuration

    router bgp 65534
     network 121.10.0.0 mask 255.255.224.0
     network 121.10.0.0 mask 255.255.240.0
     neighbor 122.102.10.2 remote-as 100
     neighbor 122.102.10.2 prefix-list routerC out
     neighbor 122.102.10.2 prefix-list default in
    !
    ip prefix-list default permit 0.0.0.0/0
    ip prefix-list routerC permit 121.10.0.0/20
    ip prefix-list routerC permit 121.10.0.0/19
    !
    ip route 121.10.0.0 255.255.240.0 null0
    ip route 121.10.0.0 255.255.224.0 null0

Page 80: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Multiple Dualhomed Customers (RFC2270)

- Router C Configuration

    router bgp 100
     neighbor bgp-customers peer-group
     neighbor bgp-customers remote-as 65534
     neighbor bgp-customers default-originate
     neighbor bgp-customers prefix-list default out
     neighbor 122.102.10.1 peer-group bgp-customers
     neighbor 122.102.10.1 description Customer One
     neighbor 122.102.10.1 prefix-list Customer1 in
     neighbor 122.102.10.9 peer-group bgp-customers
     neighbor 122.102.10.9 description Customer Two
     neighbor 122.102.10.9 prefix-list Customer2 in

Page 81: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Multiple Dualhomed Customers (RFC2270)

     neighbor 122.102.10.17 peer-group bgp-customers
     neighbor 122.102.10.17 description Customer Three
     neighbor 122.102.10.17 prefix-list Customer3 in
    !
    ip prefix-list Customer1 permit 121.10.0.0/19 le 20
    ip prefix-list Customer2 permit 121.16.64.0/19 le 20
    ip prefix-list Customer3 permit 121.14.192.0/19 le 20
    ip prefix-list default permit 0.0.0.0/0

- Router C only allows in /19 and /20 prefixes from customer block

Page 82: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Multiple Dualhomed Customers (RFC2270)

- Router E Configuration
  - assumes customer address space is not part of upstream’s address block

    router bgp 100
     neighbor 122.102.10.17 remote-as 110
     neighbor 122.102.10.17 remove-private-AS
     neighbor 122.102.10.17 prefix-list Customers out
    !
    ip prefix-list Customers permit 121.10.0.0/19
    ip prefix-list Customers permit 121.16.64.0/19
    ip prefix-list Customers permit 121.14.192.0/19

- Private AS still visible inside AS100

Page 83: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Multiple Dualhomed Customers (RFC2270)

- If customers’ prefixes come from ISP’s address block
  - do NOT announce them to the Internet
  - announce ISP aggregate only
- Router E configuration:

    router bgp 100
     neighbor 122.102.10.17 remote-as 110
     neighbor 122.102.10.17 prefix-list my-aggregate out
    !
    ip prefix-list my-aggregate permit 121.8.0.0/13

Page 84: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Multihoming Summary

- Use private AS for multihoming to the same upstream
- Leak subprefixes to upstream only to aid loadsharing
- Upstream router E configuration is identical across all situations
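The inbound and outbound filters from the RFC2270 example can be checked offline before they are deployed. The following is an added example, not part of the original slides: it implements the prefix-list matching rules (exact length without ge/le, a length range with them, implicit deny at the end) and runs the Router C and Router E lists against a constructed set of announcements. The names parse_prefix_lists, permitted, filter_routes and the sample announcements are assumptions made for this illustration.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Prefix-lists copied from the Router C and Router E slides above.
CONFIG = """
ip prefix-list Customer1 permit 121.10.0.0/19 le 20
ip prefix-list Customer2 permit 121.16.64.0/19 le 20
ip prefix-list Customer3 permit 121.14.192.0/19 le 20
ip prefix-list Customers permit 121.10.0.0/19
ip prefix-list Customers permit 121.16.64.0/19
ip prefix-list Customers permit 121.14.192.0/19
"""

LINE = re.compile(
    r"^ip prefix-list (?P<name>\S+) (?P<action>permit|deny) (?P<prefix>\S+)"
    r"(?: ge (?P<ge>\d+))?(?: le (?P<le>\d+))?$"
)


@dataclass(frozen=True)
class Entry:
    permit: bool
    prefix: ipaddress.IPv4Network
    ge: Optional[int]
    le: Optional[int]

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        # The route must sit inside the configured block ...
        if not route.subnet_of(self.prefix):
            return False
        # ... and its length must be exact unless ge/le widen the range.
        if self.ge is None and self.le is None:
            return route.prefixlen == self.prefix.prefixlen
        low = self.ge if self.ge is not None else self.prefix.prefixlen
        high = self.le if self.le is not None else 32
        return low <= route.prefixlen <= high


def parse_prefix_lists(text: str) -> Dict[str, List[Entry]]:
    """Parse 'ip prefix-list' lines into ordered entries per list name."""
    lists: Dict[str, List[Entry]] = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        entry = Entry(
            permit=m.group("action") == "permit",
            prefix=ipaddress.ip_network(m.group("prefix")),
            ge=int(m.group("ge")) if m.group("ge") else None,
            le=int(m.group("le")) if m.group("le") else None,
        )
        lists.setdefault(m.group("name"), []).append(entry)
    return lists


def permitted(entries: List[Entry], route: str) -> bool:
    """First matching entry decides; no match means implicit deny."""
    net = ipaddress.ip_network(route)
    for entry in entries:
        if entry.matches(net):
            return entry.permit
    return False


def filter_routes(entries: List[Entry], routes: List[str]) -> List[str]:
    return [r for r in routes if permitted(entries, r)]


LISTS = parse_prefix_lists(CONFIG)

# Constructed sample: what a misconfigured Customer One router might send.
CUSTOMER_ONE_SENDS = [
    "121.10.0.0/19",    # aggregate
    "121.10.0.0/20",    # first half, for loadsharing
    "121.10.16.0/20",   # second half
    "121.10.8.0/21",    # too specific
    "121.16.64.0/19",   # Customer Two's block
    "0.0.0.0/0",        # default leaked back
    "10.0.0.0/8",       # private space
]

if __name__ == "__main__":
    accepted = filter_routes(LISTS["Customer1"], CUSTOMER_ONE_SENDS)
    print("Router C accepts from Customer One:", accepted)
    print("Router E sends to the Internet:  ",
          filter_routes(LISTS["Customers"], accepted))
```

Because every customer shares AS 65534, the per-neighbor prefix-list on Router C is the only thing that stops one customer from announcing another customer's block; the exact-match list on Router E is what keeps the /20 subprefixes inside AS100.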

Page 85: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Basic Multihoming

Multihoming to different ISPs

Page 86: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Two links to different ISPs

- Use a Public AS
  - Or use private AS if agreed with the other ISP
  - But some people don’t like the “inconsistent-AS” which results from use of a private-AS
- Address space comes from
  - both upstreams or
  - Regional Internet Registry
- Configuration concepts very similar

Page 87: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Inconsistent-AS?

- Viewing the prefixes originated by AS65534 in the Internet shows they appear to be originated by both AS210 and AS200
  - This is NOT bad
  - Nor is it illegal
- IOS command is show ip bgp inconsistent-as

[Diagram: AS 65534, AS 200, AS 210 and the Internet]

Page 88: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Two links to different ISPs

One link primary, the other link backup only

Page 89: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Two links to different ISPs (one as backup only)

[Diagram: AS 100, AS 120, AS 130 and the Internet; routers A, B, C and D; link labels “Announce /19 block” and “Announce /19 block with longer AS PATH”]

Page 90: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Two links to different ISPs (one as backup only)

- Announce /19 aggregate on each link
  - primary link makes standard announcement
  - backup link lengthens the AS PATH by using AS PATH prepend
- When one link fails, the announcement of the /19 aggregate via the other link ensures continued connectivity

Page 91: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Two links to different ISPs (one as backup only)

- Router A Configuration

    router bgp 130
     network 121.10.0.0 mask 255.255.224.0
     neighbor 122.102.10.1 remote-as 100
     neighbor 122.102.10.1 prefix-list aggregate out
     neighbor 122.102.10.1 prefix-list default in
    !
    ip prefix-list aggregate permit 121.10.0.0/19
    ip prefix-list default permit 0.0.0.0/0
    !
    ip route 121.10.0.0 255.255.224.0 null0

Page 92: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Two links to different ISPs (one as backup only)

- Router B Configuration

    router bgp 130
     network 121.10.0.0 mask 255.255.224.0
     neighbor 120.1.5.1 remote-as 120
     neighbor 120.1.5.1 prefix-list aggregate out
     neighbor 120.1.5.1 route-map routerD-out out
     neighbor 120.1.5.1 prefix-list default in
     neighbor 120.1.5.1 route-map routerD-in in
    !
    ip prefix-list aggregate permit 121.10.0.0/19
    ip prefix-list default permit 0.0.0.0/0
    !
    route-map routerD-out permit 10
     set as-path prepend 130 130 130
    !
    route-map routerD-in permit 10
     set local-preference 80

Page 93: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Two links to different ISPs (one as backup only)

- Not a common situation as most sites tend to prefer using whatever capacity they have
  - (Useful when two competing ISPs agree to provide mutual backup to each other)
- But it shows the basic concepts of using local-prefs and AS-path prepends for engineering traffic in the chosen direction

Page 94: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Two links to different ISPs

With Loadsharing

Page 95: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Two links to different ISPs (with loadsharing)

[Diagram: AS 100, AS 120, AS 130 and the Internet; routers A, B, C and D; link labels “Announce first /20 and /19 block” and “Announce second /20 and /19 block”]

Page 96: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Two links to different ISPs (with loadsharing)

- Announce /19 aggregate on each link
- Split /19 and announce as two /20s, one on each link
  - basic inbound loadsharing
- When one link fails, the announcement of the /19 aggregate via the other ISP ensures continued connectivity

Page 97: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Two links to different ISPs (with loadsharing)

- Router A Configuration

    router bgp 130
     network 121.10.0.0 mask 255.255.224.0
     network 121.10.0.0 mask 255.255.240.0
     neighbor 122.102.10.1 remote-as 100
     neighbor 122.102.10.1 prefix-list firstblock out
     neighbor 122.102.10.1 prefix-list default in
    !
    ip prefix-list default permit 0.0.0.0/0
    !
    ip prefix-list firstblock permit 121.10.0.0/20
    ip prefix-list firstblock permit 121.10.0.0/19

Page 98: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Two links to different ISPs (with loadsharing)

- Router B Configuration

    router bgp 130
     network 121.10.0.0 mask 255.255.224.0
     network 121.10.16.0 mask 255.255.240.0
     neighbor 120.1.5.1 remote-as 120
     neighbor 120.1.5.1 prefix-list secondblock out
     neighbor 120.1.5.1 prefix-list default in
    !
    ip prefix-list default permit 0.0.0.0/0
    !
    ip prefix-list secondblock permit 121.10.16.0/20
    ip prefix-list secondblock permit 121.10.0.0/19

Page 99: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Two links to different ISPs (with loadsharing)

- Loadsharing in this case is very basic
- But shows the first steps in designing a load sharing solution
  - Start with a simple concept
  - And build on it…!

Page 100: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Two links to different ISPs

More Controlled Loadsharing

Page 101: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Loadsharing with different ISPs

[Diagram: AS 100, AS 120, AS 130 and the Internet; routers A, B, C and D; link labels “Announce /19 block” and “Announce /20 subprefix, and /19 block with longer AS path”]

Page 102: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Loadsharing with different ISPs

- Announce /19 aggregate on each link
  - On first link, announce /19 as normal
  - On second link, announce /19 with longer AS PATH, and announce one /20 subprefix
    - controls loadsharing between upstreams and the Internet
- Vary the subprefix size and AS PATH length until “perfect” loadsharing achieved
- Still require redundancy!

Page 103: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Loadsharing with different ISPs

- Router A Configuration

    router bgp 130
     network 121.10.0.0 mask 255.255.224.0
     neighbor 122.102.10.1 remote-as 100
     neighbor 122.102.10.1 prefix-list default in
     neighbor 122.102.10.1 prefix-list aggregate out
    !
    ip prefix-list aggregate permit 121.10.0.0/19
    ip prefix-list default permit 0.0.0.0/0
    !
    ip route 121.10.0.0 255.255.224.0 null0

Page 104: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Loadsharing with different ISPs

- Router B Configuration

    router bgp 130
     network 121.10.0.0 mask 255.255.224.0
     network 121.10.16.0 mask 255.255.240.0
     neighbor 120.1.5.1 remote-as 120
     neighbor 120.1.5.1 prefix-list default in
     neighbor 120.1.5.1 prefix-list subblocks out
     neighbor 120.1.5.1 route-map routerD out
    !
    route-map routerD permit 10
     match ip address prefix-list aggregate
     set as-path prepend 130 130
    route-map routerD permit 20
    !
    ip prefix-list subblocks permit 121.10.0.0/19 le 20
    ip prefix-list aggregate permit 121.10.0.0/19

Page 105: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Loadsharing with different ISPs

- This example is more commonplace
- Shows how ISPs and end-sites subdivide address space frugally, as well as use the AS-PATH prepend concept to optimise the load sharing between different ISPs
- Notice that the /19 aggregate block is ALWAYS announced
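Why the aggregate must be announced on both links shows up clearly when the announcements from the Router A and Router B configurations above are fed through a route selection. The following is an added example, not part of the original slides. It assumes a single remote network that hears both upstreams and chooses by longest prefix match, then shortest AS path; real BGP has more decision steps, and a remote network's own local preference can override a prepend. The function names and the aggregate_on_b switch are assumptions made for this illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    as_path: Tuple[int, ...]  # leftmost AS is the upstream that relayed it


def announcements(link_a_up: bool = True, link_b_up: bool = True,
                  aggregate_on_b: bool = True) -> List[Route]:
    """Routes a remote network hears, per the Router A / Router B slides."""
    net = ipaddress.ip_network
    routes: List[Route] = []
    if link_a_up:
        # Router A -> AS 100: the /19 as normal.
        routes.append(Route(net("121.10.0.0/19"), (100, 130)))
    if link_b_up:
        # Router B -> AS 120: one /20 subprefix, not prepended ...
        routes.append(Route(net("121.10.16.0/20"), (120, 130)))
        if aggregate_on_b:
            # ... and the /19 with "set as-path prepend 130 130".
            routes.append(Route(net("121.10.0.0/19"), (120, 130, 130, 130)))
    return routes


def best_paths(routes: List[Route]) -> Dict[ipaddress.IPv4Network, Route]:
    """Per prefix, keep the route with the shortest AS path (simplified)."""
    best: Dict[ipaddress.IPv4Network, Route] = {}
    for route in routes:
        current = best.get(route.prefix)
        key = (len(route.as_path), route.as_path)
        if current is None or key < (len(current.as_path), current.as_path):
            best[route.prefix] = route
    return best


def entry_upstream(dest: str, routes: List[Route]) -> Optional[int]:
    """Upstream AS through which traffic to dest enters AS 130, or None."""
    addr = ipaddress.ip_address(dest)
    candidates = [r for r in best_paths(routes).values() if addr in r.prefix]
    if not candidates:
        return None  # no covering route: traffic is dropped
    longest = max(candidates, key=lambda r: r.prefix.prefixlen)
    return longest.as_path[0]


if __name__ == "__main__":
    first_half, second_half = "121.10.5.1", "121.10.20.1"  # constructed hosts
    scenarios = {
        "both links up": announcements(),
        "link to AS 120 down": announcements(link_b_up=False),
        "link to AS 100 down": announcements(link_a_up=False),
        "AS 100 down, no /19 on B": announcements(link_a_up=False,
                                                  aggregate_on_b=False),
    }
    for name, routes in scenarios.items():
        print(f"{name:26} first /20 via {entry_upstream(first_half, routes)}, "
              f"second /20 via {entry_upstream(second_half, routes)}")
```

In the last scenario the first half of the block has no covering route at all, which is the failure the slide's "ALWAYS announced" rule prevents.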

Page 106: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

BGP Multihoming Techniques

- Why Multihome?
- Definition & Options
- How to Multihome
- Principles & Addressing
- Basic Multihoming
- “BGP Traffic Engineering”
- Using Communities

Page 107: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Service Provider Multihoming

BGP Traffic Engineering

Page 108: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Service Provider Multihoming

- Previous examples dealt with loadsharing inbound traffic
  - Of primary concern at Internet edge
  - What about outbound traffic?
- Transit ISPs strive to balance traffic flows in both directions
  - Balance link utilisation
  - Try and keep most traffic flows symmetric
  - Some edge ISPs try and do this too
- The original “Traffic Engineering”

Page 109: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Service Provider Multihoming

- Balancing outbound traffic requires inbound routing information
  - Common solution is “full routing table”
  - Rarely necessary
    - Why use the “routing mallet” to try solve loadsharing problems?
  - “Keep It Simple” is often easier (and $$$ cheaper) than carrying N-copies of the full routing table

Page 110: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Service Provider Multihoming
MYTHS!!

Common MYTHS

1. You need the full routing table to multihome
   - People who sell router memory would like you to believe this
   - Only true if you are a transit provider
   - Full routing table can be a significant hindrance to multihoming
2. You need a BIG router to multihome
   - Router size is related to data rates, not running BGP
   - In reality, to multihome, your router needs to:
     - Have two interfaces,
     - Be able to talk BGP to at least two peers,
     - Be able to handle BGP attributes,
     - Handle at least one prefix
3. BGP is complex
   - In the wrong hands, yes it can be! Keep it Simple!

Page 111: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Service Provider Multihoming: Some Strategies

- Take the prefixes you need to aid traffic engineering
  - Look at NetFlow data for popular sites
- Prefixes originated by your immediate neighbours and their neighbours will do more to aid load balancing than prefixes from ASNs many hops away
  - Concentrate on local destinations
- Use default routing as much as possible
  - Or use the full routing table with care

Page 112: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Service Provider Multihoming

- Examples
  - One upstream, one local peer
  - One upstream, local exchange point
  - Two upstreams, one local peer
- Require BGP and a public ASN
- Examples assume that the local network has their own /19 address block

Page 113: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Service Provider Multihoming

One upstream, one local peer

Page 114: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

One Upstream, One Local Peer

- Very common situation in many regions of the Internet
- Connect to upstream transit provider to see the “Internet”
- Connect to the local competition so that local traffic stays local
  - Saves spending valuable $ on upstream transit costs for local traffic

Page 115: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

One Upstream, One Local Peer

[Diagram: AS 110 with routers A and C; Upstream ISP AS130; Local Peer AS120]

Page 116: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

One Upstream, One Local Peer

- Announce /19 aggregate on each link
- Accept default route only from upstream
  - Either 0.0.0.0/0 or a network which can be used as default
- Accept all routes from local peer

Page 117: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

One Upstream, One Local Peer

- Router A Configuration

    router bgp 110
     network 121.10.0.0 mask 255.255.224.0
     neighbor 122.102.10.2 remote-as 120
     neighbor 122.102.10.2 prefix-list my-block out
     neighbor 122.102.10.2 prefix-list AS120-peer in
    !
    ip prefix-list AS120-peer permit 122.5.16.0/19
    ip prefix-list AS120-peer permit 121.240.0.0/20
    ip prefix-list my-block permit 121.10.0.0/19
    !
    ip route 121.10.0.0 255.255.224.0 null0 250

Prefix filters inbound

Page 118: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

One Upstream, One Local Peer

- Router A – Alternative Configuration

    router bgp 110
     network 121.10.0.0 mask 255.255.224.0
     neighbor 122.102.10.2 remote-as 120
     neighbor 122.102.10.2 prefix-list my-block out
     neighbor 122.102.10.2 filter-list 10 in
    !
    ip as-path access-list 10 permit ^(120_)+$
    !
    ip prefix-list my-block permit 121.10.0.0/19
    !
    ip route 121.10.0.0 255.255.224.0 null0

AS Path filters – more “trusting”

Page 119: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

One Upstream, One Local Peer

- Router C Configuration

    router bgp 110
     network 121.10.0.0 mask 255.255.224.0
     neighbor 122.102.10.1 remote-as 130
     neighbor 122.102.10.1 prefix-list default in
     neighbor 122.102.10.1 prefix-list my-block out
    !
    ip prefix-list my-block permit 121.10.0.0/19
    ip prefix-list default permit 0.0.0.0/0
    !
    ip route 121.10.0.0 255.255.224.0 null0

Page 120: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

One Upstream, One Local Peer

- Two configurations possible for Router A
  - Filter-lists assume peer knows what they are doing
  - Prefix-list higher maintenance, but safer
  - Some ISPs use both
- Local traffic goes to and from local peer, everything else goes to upstream

Page 121: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Aside: Configuration Recommendations

- Private Peers
  - The peering ISPs exchange prefixes they originate
  - Sometimes they exchange prefixes from neighbouring ASNs too
- Be aware that the private peer eBGP router should carry only the prefixes you want the private peer to receive
  - Otherwise they could point a default route to you and unintentionally transit your backbone

Page 122: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Service Provider Multihoming

One upstream, Local Exchange Point

Page 123: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

One Upstream, Local Exchange Point

- Very common situation in many regions of the Internet
- Connect to upstream transit provider to see the “Internet”
- Connect to the local Internet Exchange Point so that local traffic stays local
  - Saves spending valuable $ on upstream transit costs for local traffic

Page 124: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

One Upstream, Local Exchange Point

[Diagram: AS 110 with routers A and C; Upstream ISP AS130; IXP]

Page 125: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

One Upstream, Local Exchange Point

- Announce /19 aggregate to every neighbouring AS
- Accept default route only from upstream
  - Either 0.0.0.0/0 or a network which can be used as default
- Accept all routes originated by IXP peers

Page 126: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

One Upstream, Local Exchange Point

- Router A Configuration

    interface fastethernet 0/0
     description Exchange Point LAN
     ip address 120.5.10.1 255.255.255.224
    !
    router bgp 110
     neighbor ixp-peers peer-group
     neighbor ixp-peers prefix-list my-block out
     neighbor ixp-peers remove-private-AS
     neighbor ixp-peers send-community
     neighbor ixp-peers route-map set-local-pref in
    …next slide

Page 127: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

One Upstream, Local Exchange Point

     neighbor 120.5.10.2 remote-as 100
     neighbor 120.5.10.2 peer-group ixp-peers
     neighbor 120.5.10.2 prefix-list peer100 in
     neighbor 120.5.10.3 remote-as 101
     neighbor 120.5.10.3 peer-group ixp-peers
     neighbor 120.5.10.3 prefix-list peer101 in
     neighbor 120.5.10.4 remote-as 102
     neighbor 120.5.10.4 peer-group ixp-peers
     neighbor 120.5.10.4 prefix-list peer102 in
     neighbor 120.5.10.5 remote-as 103
     neighbor 120.5.10.5 peer-group ixp-peers
     neighbor 120.5.10.5 prefix-list peer103 in
    ...next slide

Page 128: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

One Upstream, Local Exchange Point

    !
    ip prefix-list my-block permit 121.10.0.0/19
    ip prefix-list peer100 permit 122.0.0.0/19
    ip prefix-list peer101 permit 122.30.0.0/19
    ip prefix-list peer102 permit 122.12.0.0/19
    ip prefix-list peer103 permit 122.18.128.0/19
    !
    route-map set-local-pref permit 10
     set local-preference 150
    !

Page 129: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

One Upstream, Local Exchange

- Note that Router A does not generate the aggregate for AS110
  - If Router A becomes disconnected from backbone, then the aggregate is no longer announced to the IX
  - BGP failover works as expected
- Note the inbound route-map which sets the local preference higher than the default
  - This ensures that BGP Best Path for local traffic will be across the IXP

Page 130: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

One Upstream, Local Exchange Point

- Router C Configuration

    router bgp 110
     network 121.10.0.0 mask 255.255.224.0
     neighbor 122.102.10.1 remote-as 130
     neighbor 122.102.10.1 prefix-list default in
     neighbor 122.102.10.1 prefix-list my-block out
    !
    ip prefix-list my-block permit 121.10.0.0/19
    ip prefix-list default permit 0.0.0.0/0
    !
    ip route 121.10.0.0 255.255.224.0 null0

Page 131: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

One Upstream, Local Exchange Point

- Note Router A configuration
  - Prefix-list higher maintenance, but safer
  - No generation of AS110 aggregate
- IXP traffic goes to and from local IXP, everything else goes to upstream

Page 132: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Aside: IXP Configuration Recommendations

- IXP peers
  - The peering ISPs at the IXP exchange prefixes they originate
  - Sometimes they exchange prefixes from neighbouring ASNs too
- Be aware that the IXP border router should carry only the prefixes you want the IXP peers to receive and the destinations you want them to be able to reach
  - Otherwise they could point a default route to you and unintentionally transit your backbone
- If IXP router is at IX, and distant from your backbone
  - Don’t originate your address block at your IXP router

Page 133: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Service Provider Multihoming

Two Upstreams, One local peer

Page 134: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Two Upstreams, One Local Peer

- Connect to both upstream transit providers to see the “Internet”
  - Provides external redundancy and diversity – the reason to multihome
- Connect to the local peer so that local traffic stays local
  - Saves spending valuable $ on upstream transit costs for local traffic

Page 135: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Two Upstreams, One Local Peer

[Diagram: AS 110 with routers A, C and D; Upstream ISP AS140; Upstream ISP AS130; Local Peer AS120]

Page 136: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Two Upstreams, One Local Peer

- Announce /19 aggregate on each link
- Accept default route only from upstreams
  - Either 0.0.0.0/0 or a network which can be used as default
- Accept all routes from local peer
- Note separation of Router C and D
  - Single edge router means no redundancy
- Router A
  - Same routing configuration as in example with one upstream and one local peer

Page 137: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Two Upstreams, One Local Peer

- Router C Configuration

    router bgp 110
     network 121.10.0.0 mask 255.255.224.0
     neighbor 122.102.10.1 remote-as 130
     neighbor 122.102.10.1 prefix-list default in
     neighbor 122.102.10.1 prefix-list my-block out
    !
    ip prefix-list my-block permit 121.10.0.0/19
    ip prefix-list default permit 0.0.0.0/0
    !
    ip route 121.10.0.0 255.255.224.0 null0

Page 138: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Two Upstreams, One Local Peer

- Router D Configuration

    router bgp 110
     network 121.10.0.0 mask 255.255.224.0
     neighbor 122.102.10.5 remote-as 140
     neighbor 122.102.10.5 prefix-list default in
     neighbor 122.102.10.5 prefix-list my-block out
    !
    ip prefix-list my-block permit 121.10.0.0/19
    ip prefix-list default permit 0.0.0.0/0
    !
    ip route 121.10.0.0 255.255.224.0 null0

Page 139: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Two Upstreams, One Local Peer

- This is the simple configuration for Router C and D
- Traffic out to the two upstreams will take nearest exit
  - Inexpensive routers required
  - This is not useful in practice especially for international links
  - Loadsharing needs to be better

Page 140: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Two Upstreams, One Local Peer

- Better configuration options:
  - Accept full routing from both upstreams
    - Expensive & unnecessary!
  - Accept default from one upstream and some routes from the other upstream
    - The way to go!

Page 141: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Loadsharing with different ISPs

[Diagram: AS 110 with routers C and D; AS 130, AS 140 and the Internet; Transit; Cust1, Cust2, Cust3, Cust4, Cust5]

Page 142: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Two Upstreams, One Local Peer
Full Routes

- Router C Configuration

    router bgp 110
     network 121.10.0.0 mask 255.255.224.0
     neighbor 122.102.10.1 remote-as 130
     neighbor 122.102.10.1 prefix-list rfc1918-deny in
     neighbor 122.102.10.1 prefix-list my-block out
     neighbor 122.102.10.1 route-map AS130-loadshare in
    !
    ip prefix-list my-block permit 121.10.0.0/19
    ! See www.cymru.com/Documents/bogon-list.html
    ! ...for “RFC1918 and friends” list
    ...next slide

Allow all prefixes in apart from RFC1918 and friends

Page 143: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Two Upstreams, One Local Peer
Full Routes

    ip route 121.10.0.0 255.255.224.0 null0
    !
    ip as-path access-list 10 permit ^(130_)+$
    ip as-path access-list 10 permit ^(130_)+_[0-9]+$
    !
    route-map AS130-loadshare permit 10
     match as-path 10
     set local-preference 120
    !
    route-map AS130-loadshare permit 20
     set local-preference 80
    !

Page 144: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Two Upstreams, One Local Peer
Full Routes

- Router D Configuration

    router bgp 110
     network 121.10.0.0 mask 255.255.224.0
     neighbor 122.102.10.5 remote-as 140
     neighbor 122.102.10.5 prefix-list rfc1918-deny in
     neighbor 122.102.10.5 prefix-list my-block out
    !
    ip prefix-list my-block permit 121.10.0.0/19
    ! See www.cymru.com/Documents/bogon-list.html
    ! ...for “RFC1918 and friends” list

Allow all prefixes in apart from RFC1918 and friends

Page 145: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Two Upstreams, One Local Peer Full Routes
- Router C configuration:
  - Accept full routes from AS130
  - Tag prefixes originated by AS130 and AS130’s neighbouring ASes with local preference 120
    - Traffic to those ASes will go over AS130 link
  - Remaining prefixes tagged with local preference of 80
    - Traffic to all other ASes will go over the link to AS140
- Router D configuration same as Router C without the route-map

Page 146: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Two Upstreams, One Local Peer Full Routes
- Full routes from upstreams
  - Summary of routes received:

ASN      Full Routes         Partial Routes
AS140    430000 @ lp 100
AS130    30000 @ lp 120
         400000 @ lp 80
Total    860000

Page 147: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Two Upstreams, One Local Peer Full Routes
- Full routes from upstreams
  - Expensive – needs lots of memory and CPU
  - Need to play preference games
  - Previous example is only an example – real life will need improved fine-tuning!
  - Previous example doesn’t consider inbound traffic – see earlier in presentation for examples

Page 148: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Two Upstreams, One Local Peer Partial Routes: Strategy
- Ask one upstream for a default route
  - Easy to originate default towards a BGP neighbour
- Ask other upstream for a full routing table
  - Then filter this routing table based on neighbouring ASN
  - E.g. want traffic to their neighbours to go over the link to that ASN
  - Most of what upstream sends is thrown away
  - Easier than asking the upstream to set up custom BGP filters for you

Page 149: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Two Upstreams, One Local Peer Partial Routes
- Router C Configuration

router bgp 110
 network 121.10.0.0 mask 255.255.224.0
 neighbor 122.102.10.1 remote-as 130
 neighbor 122.102.10.1 prefix-list rfc1918-nodef-deny in
 neighbor 122.102.10.1 prefix-list my-block out
 neighbor 122.102.10.1 filter-list 10 in
 neighbor 122.102.10.1 route-map tag-default-low in
!
...next slide

Annotation (prefix-list rfc1918-nodef-deny in): Allow all prefixes and default in; deny RFC1918 and friends
Annotation (filter-list 10 in): AS filter list filters prefixes based on origin ASN

Page 150: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Two Upstreams, One Local Peer Partial Routes

ip prefix-list my-block permit 121.10.0.0/19
ip prefix-list default permit 0.0.0.0/0
!
ip route 121.10.0.0 255.255.224.0 null0
!
ip as-path access-list 10 permit ^(130_)+$
ip as-path access-list 10 permit ^(130_)+_[0-9]+$
!
route-map tag-default-low permit 10
 match ip address prefix-list default
 set local-preference 80
!
route-map tag-default-low permit 20
!

Page 151: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Two Upstreams, One Local Peer Partial Routes
- Router D Configuration

router bgp 110
 network 121.10.0.0 mask 255.255.224.0
 neighbor 122.102.10.5 remote-as 140
 neighbor 122.102.10.5 prefix-list default in
 neighbor 122.102.10.5 prefix-list my-block out
!
ip prefix-list my-block permit 121.10.0.0/19
ip prefix-list default permit 0.0.0.0/0
!
ip route 121.10.0.0 255.255.224.0 null0

Page 152: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Two Upstreams, One Local Peer Partial Routes
- Router C configuration:
  - Accept full routes from AS130
    - (or get them to send less)
  - Filter ASNs so only AS130 and AS130’s neighbouring ASes are accepted
  - Allow default, and set it to local preference 80
  - Traffic to those ASes will go over AS130 link
  - Traffic to all other ASes will go over the link to AS140
  - If AS140 link fails, backup via AS130 – and vice-versa

Page 153: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Two Upstreams, One Local Peer Partial Routes
- Partial routes from upstreams
  - Summary of routes received:

ASN      Full Routes         Partial Routes
AS140    430000 @ lp 100     1 @ lp 100
AS130    30000 @ lp 120      30000 @ lp 100
         400000 @ lp 80      1 @ lp 80
Total    860000              30002

Page 154: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Two Upstreams, One Local Peer Partial Routes
- Router C IGP Configuration

router ospf 110
 default-information originate metric 30
 passive-interface Serial 0/0
!
ip route 0.0.0.0 0.0.0.0 serial 0/0 254

- Router D IGP Configuration

router ospf 110
 default-information originate metric 10
 passive-interface Serial 0/0
!
ip route 0.0.0.0 0.0.0.0 serial 0/0 254

Page 155: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Two Upstreams, One Local Peer Partial Routes
- Partial routes from upstreams
  - Use OSPF to determine outbound path
  - Router D default has metric 10 – primary outbound path
  - Router C default has metric 30 – backup outbound path
  - Serial interface goes down, static default is removed from routing table, OSPF default withdrawn

Page 156: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Two Upstreams, One Local Peer Partial Routes
- Partial routes from upstreams
  - Not expensive – only carry the routes necessary for loadsharing
  - Need to filter on AS paths
  - Previous example is only an example – real life will need improved fine-tuning!
  - Previous example doesn’t consider inbound traffic – see earlier in presentation for examples

Page 157: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Aside: Configuration Recommendation
- When distributing internal default by iBGP or OSPF/ISIS
  - Make sure that routers connecting to private peers or to IXPs do NOT carry the default route
  - Otherwise they could point a default route to you and unintentionally transit your backbone
  - Simple fix for Private Peer/IXP routers:

ip route 0.0.0.0 0.0.0.0 null0

Page 158: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

BGP Multihoming Techniques
- Why Multihome?
- Definition & Options
- How to Multihome
- Principles & Addressing
- Basic Multihoming
- “BGP Traffic Engineering”
- Using Communities

Page 159: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Using Communities for BGP Traffic Engineering

How they are used in practice for multihoming

Page 160: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Multihoming and Communities
- The BGP community attribute is a very powerful tool for assisting and scaling BGP Multihoming
- Most major ISPs make extensive use of BGP communities:
  - Internal policies
  - Inter-provider relationships (MED replacement)
  - Customer traffic engineering

Page 161: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Using BGP Communities
- Three scenarios are covered:
  - Use of RFC1998 traffic engineering
  - Extending RFC1998 ideas for even greater customer policy options
  - Community use in ISP backbones

Page 162: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

RFC1998
- Informational RFC
- Describes how to implement loadsharing and backup on multiple inter-AS links
  - BGP communities used to determine local preference in upstream’s network
- Gives control to the customer
  - Means the customer does not have to phone upstream’s technical support to adjust traffic engineering needs
- Simplifies upstream’s configuration
  - simplifies network operation!

Page 163: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

RFC1998
- RFC1998 Community values are defined to have particular meanings
- ASx:100 set local preference 100
  - Make this the preferred path
- ASx:90 set local preference 90
  - Make this the backup if dualhomed on ASx
- ASx:80 set local preference 80
  - The main link is to another ISP with same AS path length
- ASx:70 set local preference 70
  - The main link is to another ISP

Page 164: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

RFC1998
- Upstream ISP defines the communities mentioned
- Their customers then attach the communities they want to use to the prefix announcements they are making
- For example:
  - If upstream is AS 100
  - To declare a particular path as a backup path, their customer would announce the prefix with community 100:70 to AS100
  - AS100 would receive the prefix with the community 100:70 tag, and then set local preference to be 70

Page 165: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

RFC1998
- Sample Customer Router Configuration

router bgp 130
 neighbor x.x.x.x remote-as 100
 neighbor x.x.x.x description Backup ISP
 neighbor x.x.x.x route-map as100-out out
 neighbor x.x.x.x send-community
!
ip as-path access-list 20 permit ^$
!
route-map as100-out permit 10
 match as-path 20
 set community 100:70
!

Page 166: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

RFC1998
- Sample ISP Router Configuration

router bgp 100
 neighbor y.y.y.y remote-as 130
 neighbor y.y.y.y route-map customer-policy-in in
!
! Homed to another ISP
ip community-list 7 permit 100:70
! Homed to another ISP with equal ASPATH length
ip community-list 8 permit 100:80
! Customer backup routes
ip community-list 9 permit 100:90
!

Page 167: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

RFC1998

route-map customer-policy-in permit 10
 match community 7
 set local-preference 70
!
route-map customer-policy-in permit 20
 match community 8
 set local-preference 80
!
route-map customer-policy-in permit 30
 match community 9
 set local-preference 90
!
route-map customer-policy-in permit 40
 set local-preference 100
!

Page 168: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

RFC1998
- RFC1998 was the inspiration for a large variety of differing community policies implemented by ISPs worldwide
- There are no “standard communities” for what ISPs do
- But best practices today consider that ISPs should use BGP communities extensively for multihoming support of traffic engineering
- Look in the ISP AS Object in the IRR for documented community support

Page 169: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Service Provider use of Communities

RFC1998 was so inspiring…


Page 170: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Background
- RFC1998 is okay for “simple” multihoming situations
- ISPs create backbone support for many other communities to handle more complex situations
  - Simplify ISP BGP configuration
  - Give customer more policy control

Page 171: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

ISP BGP Communities
- There are no recommended ISP BGP communities apart from
  - RFC1998
  - The five standard communities
    - www.iana.org/assignments/bgp-well-known-communities
- Efforts have been made to document from time to time
  - totem.info.ucl.ac.be/publications/papers-elec-versions/draft-quoitin-bgp-comm-survey-00.pdf
  - But so far… nothing more… :-(
  - Collection of ISP communities at www.onesc.net/communities
  - www.nanog.org/meetings/nanog40/presentations/BGPcommunities.pdf
- ISP policy is usually published
  - On the ISP’s website
  - Referenced in the AS Object in the IRR

Page 172: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Typical ISP BGP Communities
- X:80 set local preference 80
  - Backup path
- X:120 set local preference 120
  - Primary path (override BGP path selection default)
- X:1 set as-path prepend X
  - Single prepend when announced to X’s upstreams
- X:2 set as-path prepend X X
  - Double prepend when announced to X’s upstreams
- X:3 set as-path prepend X X X
  - Triple prepend when announced to X’s upstreams
- X:666 set ip next-hop 192.0.2.1
  - Blackhole route - very useful for DoS attack mitigation

Page 173: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Sample Router Configuration (1)

router bgp 100
 neighbor y.y.y.y remote-as 130
 neighbor y.y.y.y route-map customer-policy-in in
 neighbor z.z.z.z remote-as 200
 neighbor z.z.z.z route-map upstream-out out
!
ip community-list 1 permit 100:1
ip community-list 2 permit 100:2
ip community-list 3 permit 100:3
ip community-list 4 permit 100:80
ip community-list 5 permit 100:120
ip community-list 6 permit 100:666
!
ip route 192.0.2.1 255.255.255.255 null0

Annotations:
  neighbor y.y.y.y: Customer BGP
  neighbor z.z.z.z: Upstream BGP
  ip route 192.0.2.1 255.255.255.255 null0: Black hole route (on all routers)

Page 174: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Sample Router Configuration (2)

route-map customer-policy-in permit 10
 match community 4
 set local-preference 80
!
route-map customer-policy-in permit 20
 match community 5
 set local-preference 120
!
route-map customer-policy-in permit 30
 match community 6
 set ip next-hop 192.0.2.1
!
route-map customer-policy-in permit 40
...etc...

Page 175: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Sample Router Configuration (3)

route-map upstream-out permit 10
 match community 1
 set as-path prepend 100
!
route-map upstream-out permit 20
 match community 2
 set as-path prepend 100 100
!
route-map upstream-out permit 30
 match community 3
 set as-path prepend 100 100 100
!
route-map upstream-out permit 40
...etc...
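The route-maps on the RFC1998 slides and in Sample Router Configuration (2) and (3) are evaluated clause by clause, and the first clause that matches ends the evaluation. The Python model below is an added example, not part of the original slides, that applies those three policies to tagged routes. It assumes the elided clause 40 ("...etc...") is a bare permit, uses constructed sample prefixes, and does not model the normal eBGP prepend of the local AS.

```python
from dataclasses import dataclass, replace

BLACKHOLE_NH = "192.0.2.1"  # slide 173: statically routed to null0 on all routers

@dataclass(frozen=True)
class Route:
    prefix: str
    communities: frozenset
    as_path: tuple = (130,)      # customer AS used on the slides
    local_pref: int = 100        # IOS default local preference
    next_hop: str = "y.y.y.y"    # placeholder neighbour address, as on the slides

# Clause format: (sequence, community matched or None when there is no match line, set actions)
RFC1998_IN = [                   # slide 167
    (10, "100:70", {"local_pref": 70}),
    (20, "100:80", {"local_pref": 80}),
    (30, "100:90", {"local_pref": 90}),
    (40, None, {"local_pref": 100}),
]
CUSTOMER_POLICY_IN = [           # slide 174
    (10, "100:80", {"local_pref": 80}),
    (20, "100:120", {"local_pref": 120}),
    (30, "100:666", {"next_hop": BLACKHOLE_NH}),
    (40, None, {}),              # elided on the slide; ASSUMED to be a bare permit
]
UPSTREAM_OUT = [                 # slide 175
    (10, "100:1", {"prepend": 1}),
    (20, "100:2", {"prepend": 2}),
    (30, "100:3", {"prepend": 3}),
    (40, None, {}),              # elided on the slide; ASSUMED to be a bare permit
]

def matches(community, route):
    return community is None or community in route.communities

def apply_route_map(route_map, route, local_as=100):
    """Return (sequence, rewritten route) for the first clause that matches.
    Evaluation stops there, as on the router when no clause uses `continue`."""
    for seq, community, actions in sorted(route_map, key=lambda c: c[0]):
        if matches(community, route):
            changes = dict(actions)
            count = changes.pop("prepend", 0)
            if count:
                changes["as_path"] = (local_as,) * count + route.as_path
            return seq, replace(route, **changes)
    return None, None            # implicit deny at the end of every route-map

def shadowed_clauses(route_map, route):
    """Community clauses the route also matches but never reaches."""
    hit, _ = apply_route_map(route_map, route)
    return [seq for seq, community, _ in route_map
            if community is not None and seq != hit and matches(community, route)]

def demo():
    # Constructed sample announcements from the customer (AS 130).
    samples = [
        Route("203.0.113.0/24", frozenset({"100:80"})),
        Route("203.0.113.7/32", frozenset({"100:666"})),
        Route("203.0.113.9/32", frozenset({"100:80", "100:666"})),
    ]
    rows = []
    for r in samples:
        seq, out = apply_route_map(CUSTOMER_POLICY_IN, r)
        rows.append((r.prefix, seq, out.local_pref, out.next_hop,
                     shadowed_clauses(CUSTOMER_POLICY_IN, r)))
    return rows

if __name__ == "__main__":
    for row in demo():
        print(row)
```

The third sample carries both 100:80 and 100:666: it stops at clause 10, gets local preference 80 and is never pointed at the blackhole next hop. Placing the blackhole clause first in the route-map avoids that shadowing.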


Page 176: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

ISP Example: Sprint


More info at https://www.sprint.net/index.php?p=policy_bgp

Page 177: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

ISP Example: Verizon Business Europe

aut-num: AS702
descr:   Verizon Business EMEA - Commercial IP service provider in Eur
remarks: VzBi uses the following communities with its customers:
         702:80    Set Local Pref 80 within AS702
         702:120   Set Local Pref 120 within AS702
         702:20    Announce only to VzBi AS'es and VzBi customers
         702:30    Keep within Europe, don't announce to other VzBi AS
         702:1     Prepend AS702 once at edges of VzBi to Peers
         702:2     Prepend AS702 twice at edges of VzBi to Peers
         702:3     Prepend AS702 thrice at edges of VzBi to Peers
         Advanced communities for customers
         702:7020  Do not announce to AS702 peers with a scope of
                   National but advertise to Global Peers, European
                   Peers and VzBi customers.
         702:7001  Prepend AS702 once at edges of VzBi to AS702
                   peers with a scope of National.
         702:7002  Prepend AS702 twice at edges of VzBi to AS702
                   peers with a scope of National.
(more)

Page 178: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

ISP Example: Verizon Business Europe

(more)
         702:7003  Prepend AS702 thrice at edges of VzBi to AS702
                   peers with a scope of National.
         702:8020  Do not announce to AS702 peers with a scope of
                   European but advertise to Global Peers, National
                   Peers and VzBi customers.
         702:8001  Prepend AS702 once at edges of VzBi to AS702
                   peers with a scope of European.
         702:8002  Prepend AS702 twice at edges of VzBi to AS702
                   peers with a scope of European.
         702:8003  Prepend AS702 thrice at edges of VzBi to AS702
                   peers with a scope of European.
         --------------------------------------------------------------
         Additional details of the VzBi communities are located at:
         http://www.verizonbusiness.com/uk/customer/bgp/
         --------------------------------------------------------------
mnt-by:  WCOM-EMEA-RICE-MNT
source:  RIPE

Page 179: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

ISP Example: BT Ignite

aut-num: AS5400
descr:   BT Ignite European Backbone
remarks:
remarks: Community to                                  Community to
remarks: Not announce   To peer:                       AS prepend 5400
remarks:
remarks: 5400:1000      All peers & Transits           5400:2000
remarks:
remarks: 5400:1500      All Transits                   5400:2500
remarks: 5400:1501      Sprint Transit (AS1239)        5400:2501
remarks: 5400:1502      SAVVIS Transit (AS3561)        5400:2502
remarks: 5400:1503      Level 3 Transit (AS3356)       5400:2503
remarks: 5400:1504      AT&T Transit (AS7018)          5400:2504
remarks: 5400:1506      GlobalCrossing Trans(AS3549)   5400:2506
remarks:
remarks: 5400:1001      Nexica (AS24592)               5400:2001
remarks: 5400:1002      Fujitsu (AS3324)               5400:2002
remarks: 5400:1004      C&W EU (1273)                  5400:2004
<snip>
notify:  [email protected]
mnt-by:  CIP-MNT
source:  RIPE

And many many more!

Page 180: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

ISP Example: Level 3

aut-num: AS3356
descr:   Level 3 Communications
<snip>
remarks: -------------------------------------------------------
remarks: customer traffic engineering communities - Suppression
remarks: -------------------------------------------------------
remarks: 64960:XXX - announce to AS XXX if 65000:0
remarks: 65000:0   - announce to customers but not to peers
remarks: 65000:XXX - do not announce at peerings to AS XXX
remarks: -------------------------------------------------------
remarks: customer traffic engineering communities - Prepending
remarks: -------------------------------------------------------
remarks: 65001:0   - prepend once to all peers
remarks: 65001:XXX - prepend once at peerings to AS XXX
<snip>
remarks: 3356:70   - set local preference to 70
remarks: 3356:80   - set local preference to 80
remarks: 3356:90   - set local preference to 90
remarks: 3356:9999 - blackhole (discard) traffic
<snip>
mnt-by:  LEVEL3-MNT
source:  RIPE

And many many more!

Page 181: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

ISP Example: NTT

More info at www.us.ntt.net/about/policy/routing.cfm

Page 182: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Creating your own community policy
- Consider creating communities to give policy control to customers
  - Reduces technical support burden
  - Reduces the amount of router reconfiguration, and the chance of mistakes
  - Use the previous ISP and configuration examples as a guideline

Page 183: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Conclusion: Communities
- Communities are fun! :-)
- And they are extremely powerful tools
- Think about community policies, e.g. like the additions described here
- Supporting extensive community usage makes customer configuration easy
- Watch out for routing loops!

Page 184: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Summary

Page 185: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

Summary
- Multihoming is not hard, really…
  - Keep It Simple & Stupid!
- Full routing table is rarely required
  - A default is often just as good
  - If customers want 430k prefixes, charge them money for it

Page 186: BGP Multihoming Techniques - APNICBGP Multihoming Techniques Philip Smith  APRICOT 2013 Singapore 19th February – 1st March 2013

BGP Multihoming Techniques

End of Tutorial

